CDH 5.12.2: enabling Kerberos authentication
Compiled and posted by the 小常识网 (cha138.com) editors; it walks through enabling Kerberos authentication on a CDH 5.12.2 cluster.
- 1: Installing and configuring the KDC service
- 2: Installing the Kerberos client on every cluster node (including the CM host)
- 3: Enabling Kerberos on the CDH cluster
1: Installing and configuring the KDC service
1.1 Install the KDC packages (on the KDC host, node01.yangyang.com in this post)
# yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y
1.2 Configure the Kerberos client library on the KDC host
vim /etc/krb5.conf
---
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = GEMS.COM
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
GEMS.COM = {
kdc = node01.yangyang.com
admin_server = node01.yangyang.com
}
[domain_realm]
.yangyang.com = GEMS.COM
yangyang.com = GEMS.COM
---
Notes on this file:
- The three enctype lines pin every ticket to rc4-hmac. RC4 is a weak enctype (a service ticket captured on the wire can be cracked offline against the service key) and it defeats the purpose of the JCE Unlimited Strength policy installed in 3.1, which exists to allow AES-256. Unless a client that cannot do AES still exists, set the three values to aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96, or remove the lines so the KDC's supported_enctypes order decides.
- [domain_realm] maps DNS domain suffixes to a realm. The original post had .node01.yangyang.com and node01.yangyang.com here, which only covers that single host; mapping the whole DNS domain, as above, lets every node in yangyang.com resolve its service principals to GEMS.COM.
- udp_preference_limit = 1 makes clients use TCP for all KDC traffic, so port 88/tcp must be reachable from every node.
1.3 Edit /var/kerberos/krb5kdc/kadm5.acl
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@GEMS.COM *
This single line grants every principal whose instance is admin (admin/admin, cloudera-scm/admin and any other */admin) full kadmin privileges, including creating principals and extracting keytabs, so the passwords of those principals deserve the same care as root passwords.
1.4 Edit /var/kerberos/krb5kdc/kdc.conf
vim /var/kerberos/krb5kdc/kdc.conf
----
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
GEMS.COM = {
#master_key_type = aes256-cts
max_renewable_life = 7d
max_life = 1d
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
default_principal_flags = +renewable, +forwardable
}
----
supported_enctypes decides which long-term keys are stored for every principal created from now on. The list above is the stock EL7 default and also stores single-DES and 3DES keys that no CDH component needs; every key type listed here is one more key an attacker who dumps the KDC database or a keytab can attack. Trim it to aes256-cts:normal aes128-cts:normal (keep arcfour-hmac:normal only while an RC4-only client still exists), and do so before 1.5, since keys of existing principals are only regenerated when their password is changed. Keep max_renewable_life non-zero: long-running CDH services depend on renewable tickets.
1.5 Create the Kerberos database
# kdb5_util create -r GEMS.COM -s
---
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'GEMS.COM',
master key name 'K/M@GEMS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
---
The post uses GEMS.COM as the master password. Treat that as a placeholder only: the master key encrypts every principal key in the database, so choose a long random passphrase and keep it somewhere other than this host. -s also writes a stash file (/var/kerberos/krb5kdc/.k5.GEMS.COM) so the KDC can start without prompting; it must stay readable by root only, because anyone who can read it can decrypt the whole database.
1.6 Create a Kerberos admin principal
# kadmin.local
Authenticating as principal root/admin@GEMS.COM with password.
kadmin.local: addprinc admin/admin@GEMS.COM
WARNING: no policy specified for admin/admin@GEMS.COM; defaulting to no policy
Enter password for principal "admin/admin@GEMS.COM": [enter password]
Re-enter password for principal "admin/admin@GEMS.COM": [enter password]
Principal "admin/admin@GEMS.COM" created.
kadmin.local: exit
1.7 Start the KDC services
service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on
On EL7 hosts the equivalent is systemctl start krb5kdc kadmin followed by systemctl enable krb5kdc kadmin (the systemd in EL7 predates the --now flag).
1.8 Test the admin principal
kinit admin/admin@GEMS.COM
---> enter the password set in 1.6 (the post uses admin)
# klist
klist should list a ticket for krbtgt/GEMS.COM@GEMS.COM. If kinit reports an incorrect password or failed preauthentication, the password is wrong; if it cannot contact the KDC, check that node01 accepts TCP connections on port 88.
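The RC4 and DES enctypes in the two configuration files above are the weakest part of this setup, and they are easy to miss in a long supported_enctypes line. The POSIX shell script below is an added example, not part of the original post: it audits a krb5.conf or kdc.conf for weak enctypes and for allow_weak_crypto. The three sample files it writes are constructed for the demo; their enctype lines mirror the post's settings and an AES-only replacement, and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit Kerberos config files
# for weak encryption types. The sample configs written below are
# constructed for this demo; only their enctype lines mirror the post.

# Enctypes a KDC should not offer and a client should not request:
# RC4 (rc4-hmac / arcfour-hmac*) lets captured service tickets be cracked
# offline, single DES is disabled by default in MIT krb5 since 1.18, and
# 3DES is deprecated since 1.19.
WEAK_ENCTYPES='rc4-hmac arcfour-hmac arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 des3-hmac-sha1 des3-cbc-sha1'

# weak_enctypes FILE
# Prints "directive=enctype" for every weak enctype named in one of the
# enctype-selecting directives of FILE (comments ignored). Returns 1 if any
# were found, 0 if the file is clean.
weak_enctypes() {
    _wk_out=$(
        sed 's/#.*//' "$1" |
        grep -E '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes|supported_enctypes)[[:space:]]*=' |
        while IFS='=' read -r _key _vals; do
            _key=$(printf '%s' "$_key" | tr -d '[:space:]')
            for _tok in $_vals; do
                _enc=${_tok%%:*}      # kdc.conf writes "enctype:salttype"
                for _w in $WEAK_ENCTYPES; do
                    if [ "$_enc" = "$_w" ]; then
                        printf '%s=%s\n' "$_key" "$_enc"
                    fi
                done
            done
        done
    )
    [ -z "$_wk_out" ] && return 0
    printf '%s\n' "$_wk_out"
    return 1
}

# allow_weak_crypto_on FILE
# Returns 0 if FILE enables allow_weak_crypto, which re-enables DES even
# when no DES enctype is listed explicitly.
allow_weak_crypto_on() {
    sed 's/#.*//' "$1" |
    grep -Eqi '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*(true|yes|1)'
}

DEMO_DIR=$(mktemp -d)

# Constructed client config with the post's settings: everything pinned to RC4.
cat > "$DEMO_DIR/krb5-weak.conf" <<'EOF'
[libdefaults]
 default_realm = GEMS.COM
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
EOF

# Constructed KDC config with the post's supported_enctypes line: AES is
# offered, but so are RC4, 3DES and single DES.
cat > "$DEMO_DIR/kdc-weak.conf" <<'EOF'
[realms]
 GEMS.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

# Constructed hardened client config: AES only (aes256 needs the JCE
# unlimited policy on the JDK, which the post installs anyway).
cat > "$DEMO_DIR/krb5-ok.conf" <<'EOF'
[libdefaults]
 default_realm = GEMS.COM
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 # allow_weak_crypto = true   <- commented out, must not be reported
EOF

# Audit all three files when the script is run directly.
for f in "$DEMO_DIR"/krb5-weak.conf "$DEMO_DIR"/kdc-weak.conf "$DEMO_DIR"/krb5-ok.conf; do
    if weak_enctypes "$f"; then
        echo "$f: no weak enctypes"
    else
        echo "$f: weak enctypes listed above"
    fi
    if allow_weak_crypto_on "$f"; then
        echo "$f: allow_weak_crypto is enabled"
    fi
done
```

Run it against the real files with weak_enctypes /etc/krb5.conf and weak_enctypes /var/kerberos/krb5kdc/kdc.conf on every node after the configs have been distributed; a non-zero exit is the signal to fix the file before creating principals, since keys are only generated with the enctypes in force at creation time.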
2: Installing the Kerberos client on every cluster node (including the CM host)
Every node needs the client packages:
yum -y install krb5-libs krb5-workstation (run on all nodes)
The Cloudera Manager Server host additionally needs:
yum -y install openldap-clients (on the CM Server host; the original said "kdc-server node" here, but Cloudera's Kerberos guide requires this package on the CM Server host, not on the KDC)
2.1 Copy krb5.conf to the other nodes
scp /etc/krb5.conf node02:/etc
scp /etc/krb5.conf node03:/etc
Every node must end up with an identical /etc/krb5.conf, otherwise the CM Kerberos wizard fails on the node that differs; comparing md5sum /etc/krb5.conf across nodes is a quick check.
3: Enabling Kerberos on the CDH cluster
3.1 Install the JCE Unlimited Strength policy files into the JDK
# unzip jce_policy-8.zip
# cd UnlimitedJCEPolicyJDK8/
# cp -p *.jar /usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node02:/usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node03:/usr/java/jdk1.8.0_151/jre/lib/security/
The zip contains local_policy.jar and US_export_policy.jar, which replace the restricted versions shipped with Oracle JDK 8 and unlock AES-256 for Java. Without them the JVM cannot use aes256-cts tickets, which is why RC4-only settings like the ones in 1.2 were common; once the policy is installed on every host that runs a CDH role (not only node02 and node03), the AES enctypes should be used instead. With 8u151 or later the same effect can be had without copying jars by setting crypto.policy=unlimited in jre/lib/security/java.security.
3.2 Enable Kerberos from the Cloudera Manager web UI
3.2.1 Configure the JDK directory: the wizard needs the path of the JDK that received the policy files in 3.1 (/usr/java/jdk1.8.0_151 in this post).
3.2.2 Add the Cloudera Manager admin principal on the KDC
kadmin.local
Authenticating as principal admin/admin@GEMS.COM with password.
kadmin.local: addprinc cloudera-scm/admin@GEMS.COM
WARNING: no policy specified for cloudera-scm/admin@GEMS.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@GEMS.COM": [enter password]
Re-enter password for principal "cloudera-scm/admin@GEMS.COM": [enter password]
Principal "cloudera-scm/admin@GEMS.COM" created.
The post uses Cloudera-scm as the password. Cloudera Manager uses this principal to create the service principal and keytab of every role in the cluster, and the kadm5.acl line from 1.3 is what gives it those rights, so choose a strong password and enter it only in the CM wizard.
3.2.3 Enable Kerberos in the wizard